Defender for Office 365
Compare the Safe Links configuration with Microsoft's recommendations: the configuration analyzer
Defender for Endpoint
Microsoft Defender for Endpoint Plan 1 includes security reports and attack surface reduction (ASR). Features like advanced hunting and device discovery are available under Plan 2, and digital certificate assessment requires an additional vulnerability add-on.
| Feature | Usage |
| --- | --- |
| Security baselines assessment | Compare the configuration of the devices against industry standard benchmarks |
| Cloud discovery snapshot report | Identify cloud apps used |
| Assessment job | Schedule scan of network device |
| Device compliance policy | Block device based on the machine risk score |
| Custom network indicator + Indicator | Block access to a specific malicious website |
| Remediation request | Block vulnerable app until the app is updated |
| File indicator | Block an application executable based on a file hash |
| Tamper protection | Prevent antivirus and real-time protection on the devices from being modified or disabled |
| Troubleshooting mode | Configure antivirus and real-time protection |
| Endpoint Detection and Response | Review vulnerability management recommendations for the device |
Restrict users from accessing the Device security settings and the Account protection settings in Windows Defender Security Center on the devices:
- Policy type: Endpoint security policy
- Template: Windows Security Experience
To collect forensic information and run a PowerShell script on the device, you should select ‘Initiate Live Response Session.’ This action allows interactive investigation capabilities, including executing scripts and other live response actions.
Defender for Cloud Apps
Enables real-time monitoring of user activities: Conditional Access App Control
Monitor activities performed by members: Scoped deployment and privacy & user groups
You need to create a policy to block users from accessing discovered apps that have a risk score of 4 or lower: menu "+ Add a filter" & "Tag app as unsanctioned"
After registering a cloud app named App1 in Microsoft Entra ID, you need to create an access policy for App1: first, configure an app connector to Defender for Cloud Apps
You need to identify which shadow IT apps users connect to by using Cloud Discovery in Microsoft Defender for Cloud Apps: first, a cloud discovery snapshot report
You need to ensure that events originating from the on-premises network are categorized automatically as Administrative: create an IP address range
You need to ensure that an alert is generated when an app is registered in Microsoft Entra and is assigned the Directory.ReadWrite.All Microsoft Graph permission: an OAuth app policy
Which two types of policy rely on Conditional Access App Control? Access policy & session policy
You need to use Microsoft Defender for Cloud Apps to monitor user mailbox activities: create an activity policy
You need to create a Microsoft Defender for Cloud Apps policy to block User1 from printing from App1: session policy
When do I want to act:
- At connection time: Access policy
  - Block or allow access to an app
- During the session, in real time: Session policy
  - Restrict certain actions
- After the fact, on what has already happened: Activity policy
  - Monitor, alert, automate a response
